Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems thehackernews.com/2025/04/r…
Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities. The packages in question are listed below:

- node-telegram-utils (132 downloads)
- node-telegram-bots-api (82 downloads)
- node-telegram-util (73 downloads)

According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api, a popular Node.js Telegram Bot API library with over 100,000 weekly downloads. The three libraries are still available for download.

“While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access,” security researcher Kush Pandya said. “Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or production servers.”

The rogue packages not only replicate the description of the legitimate library, but also leverage a technique called starjacking in a bid to elevate their apparent authenticity and trick unsuspecting developers into downloading them.
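A defensive check for the two tricks described above, as an added example that is not code from the article or from Socket: it flags a dependency whose name is a lookalike of a known package and whose manifest points at that package's repository (starjacking). The four package names are from the article; the repository URL and the sample manifests are constructed, not real registry data.

```javascript
// Added example (not from The Hacker News or Socket): flag npm dependencies whose
// names are lookalikes of a well-known package and whose manifest reuses that
// package's repository URL (the starjacking pattern). Package names are from the
// article; the repository URL and manifests are constructed sample data.

// Assumed repository URL of the legitimate package, for illustration only.
const KNOWN_PACKAGES = {
  'node-telegram-bot-api': 'https://github.com/example-org/node-telegram-bot-api',
};

// Constructed manifests standing in for the article's three rogue packages.
const SAMPLE_MANIFESTS = [
  { name: 'node-telegram-utils', repository: { url: 'git+https://github.com/example-org/node-telegram-bot-api.git' } },
  { name: 'node-telegram-bots-api', repository: { url: 'https://github.com/example-org/node-telegram-bot-api' } },
  { name: 'node-telegram-util' },
];

// Levenshtein edit distance; works on strings (per character) and arrays (per token).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// A name is a lookalike if it is within two typos of the known name, or if it
// shares at least two hyphen-separated tokens and differs by at most two tokens.
function isLookalike(candidate, known) {
  if (candidate === known) return false;
  const ct = candidate.split('-'), kt = known.split('-');
  const shared = ct.filter((t) => kt.includes(t)).length;
  return editDistance(candidate, known) <= 2 || (editDistance(ct, kt) <= 2 && shared >= 2);
}

// Strip the git+ prefix and .git suffix so equivalent repository URLs compare equal.
const normalizeRepo = (url) => url.replace(/^git\+/, '').replace(/\.git$/, '').toLowerCase();

// Audit one package.json-style manifest; returns the list of reasons to review it.
function auditManifest(manifest) {
  const findings = [];
  if (manifest.name in KNOWN_PACKAGES) return findings; // the genuine package itself
  const repo = manifest.repository && manifest.repository.url;
  for (const [known, knownRepo] of Object.entries(KNOWN_PACKAGES)) {
    if (isLookalike(manifest.name, known)) findings.push(`lookalike-name:${known}`);
    if (repo && normalizeRepo(repo) === normalizeRepo(knownRepo)) findings.push(`repository-reuse:${known}`);
  }
  return findings;
}
```

Run `auditManifest` over each dependency's manifest in `node_modules` during CI review; a non-empty result is a signal to inspect the package before it reaches developer machines or production servers.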